This session will review how AWS allows FinTechs across APAC to innovate at pace while maintaining the high level of security expected by the financial services community. We will review security domains including Infrastructure Security, Data Protection, Logging & Monitoring, Identity & Access Management and Intrusion Detection.
2. Agenda
• The Current Problem
• AWS Shared Security Model
• AWS Compliance
• 5 Core Security Epics
• IAM
• Logging & Monitoring
• Data Protection
• Infrastructure Security
• Incident Response
3. The Problem
• Evolving & Complex Threat Landscape
• Infrequent Security Reviews
• Heavily Regulated Control Requirements
• Lack of automation introduces error
4. Current Security, Risk & Compliance Teams
Security, risk and compliance can no longer operate as separate functions. Today's SRC teams rely on:
• Static position papers, architecture diagrams & documents
• UI-dependent consoles and technologies
• Auditing, assurance, and compliance as decoupled, separate processes
5. Next-Gen Security, Risk & Compliance Teams
All should be part of the ‘maker’ team. Evolved SRC teams work with:
• Architecture artifacts (design choices, narrative, etc.) committed to common repositories
• Complete solutions that account for automation
• Solution architectures that are living audit/compliance artifacts and evidence in a closed loop
[Diagram: delivery pipeline built from AWS CodeCommit, AWS CodePipeline and Jenkins]
16. Encryption with AWS KMS
• One-click encryption of server and database storage
• Centralized key management (create, delete, view, set policies)
• Import your own keys
• Enforced, automatic key rotation
• Visibility into any changes via CloudTrail
18. CloudHSM
• You receive dedicated access to HSM appliances
• Managed and monitored by AWS
• HSMs located in AWS data centers
• SafeNet Luna SA HSM appliances
• Only you have access to your keys and operations on the keys
• HSMs are inside your Amazon VPC, isolated from the rest of the network
• HA with your on-prem HSM
Division of responsibility: the AWS administrator manages the appliance; you control the keys and the crypto operations performed with them.
20. VPC: Private, isolated network on the AWS cloud
[Diagram: a VPC spanning Availability Zone A and Availability Zone B]
AWS Virtual Private Cloud
• Private and logically isolated section of the AWS cloud
• You choose a private IP range for your VPC
• Segment this into subnets to deploy your compute instances
AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• You cannot sniff anything but your own EC2 host network interface
• Control all external routing and connectivity
22. VPC Flow Logs
• Agentless
• Enable per ENI, per subnet, or per VPC
• Logged to AWS CloudWatch Logs
• Create CloudWatch metrics from log data
• Alarm on those metrics
Fields in a flow log record: AWS account, interface, source IP, destination IP, source port, destination port, protocol, packets, bytes, start/end time, accept or reject.
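The metric-and-alarm pattern the slide describes can be tried locally before wiring it into CloudWatch Logs. The Python below is an added example, not code from the original deck or from AWS: it parses records in the default (version 2) flow log format, whose field order matches the slide's list, derives the metric a CloudWatch metric filter would produce (REJECTed flows per source address), and reports which sources cross an alarm threshold. The sample records, including a NODATA record whose traffic fields are "-", are constructed; account id, ENI id and addresses are made up.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Field order of the default (version 2) VPC Flow Log record, space separated.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records (account id, ENI and addresses are made up).
# Lines 1-3: one external host hitting SSH, RDP and SMB and being rejected;
# line 4: normal accepted HTTPS traffic; line 5: one rejected HTTP flow;
# line 6: a NODATA record, in which the traffic fields are "-".
SAMPLE_LINES: List[str] = [
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 51234 22 6 1 44 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 51235 3389 6 1 44 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.1.25 51236 445 6 1 44 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.30 10.0.1.25 40022 443 6 12 2480 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.4 10.0.1.25 60000 80 6 1 40 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1418530010 1418530070 - NODATA",
]


@dataclass
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: int
    num_bytes: int
    start: int
    end: int
    action: Optional[str]   # ACCEPT, REJECT, or None for NODATA/SKIPDATA
    log_status: str         # OK, NODATA or SKIPDATA


def _opt_str(v: str) -> Optional[str]:
    return None if v == "-" else v


def _opt_int(v: str) -> Optional[int]:
    return None if v == "-" else int(v)


def parse_record(line: str) -> FlowRecord:
    """Parse one default-format flow log line into a FlowRecord."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    f: Dict[str, str] = dict(zip(FIELDS, parts))
    return FlowRecord(
        version=int(f["version"]),
        account_id=f["account_id"],
        interface_id=f["interface_id"],
        srcaddr=_opt_str(f["srcaddr"]),
        dstaddr=_opt_str(f["dstaddr"]),
        srcport=_opt_int(f["srcport"]),
        dstport=_opt_int(f["dstport"]),
        protocol=_opt_int(f["protocol"]),
        packets=_opt_int(f["packets"]) or 0,
        num_bytes=_opt_int(f["bytes"]) or 0,
        start=int(f["start"]),
        end=int(f["end"]),
        action=_opt_str(f["action"]),
        log_status=f["log_status"],
    )


def rejects_per_source(lines: Iterable[str]) -> Counter:
    """The metric a CloudWatch Logs metric filter on action == REJECT would
    yield, broken down by source address. NODATA/SKIPDATA records carry no
    traffic and are skipped."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.log_status != "OK":
            continue
        if rec.action == "REJECT":
            counts[rec.srcaddr] += 1
    return counts


def sources_over_threshold(lines: Iterable[str], threshold: int) -> List[str]:
    """Source addresses whose REJECT count reaches the threshold: the
    condition an alarm on the metric above would fire on."""
    counts = rejects_per_source(lines)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(rejects_per_source(SAMPLE_LINES))
    print("over threshold (3):", sources_over_threshold(SAMPLE_LINES, 3))
```

In CloudWatch the equivalent is a metric filter whose pattern matches the action field and an alarm on the resulting metric; the point of running it locally is to check that the threshold you pick separates a scanning host from the occasional rejected packet before you turn the alarm on.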
23. AWS Shield: DDoS Protection
✓ Protection against most common infrastructure attacks
✓ SYN/ACK floods, UDP floods, reflection attacks etc.
✓ No additional cost
[Diagram: DDoS attack traffic and legitimate users passing through DDoS mitigation systems]
24. AWS WAF – Layer 7 application protection
Self-service AWS WAF: preconfigured protections against
• HTTP floods
• Scanners and probes
• SQL injection
• Bots and scrapers
• IP reputation lists
• Cross-site scripting
25. Next-Generation Firewalls
• Next-Gen Firewall (NGFW) and Application Inspection
• Intrusion Prevention/Detection (IPS/IDS)
• Auditing, Analytics, Compliance and Reporting
• Comments for individual rules
• Central Management
• Troubleshooting
• Single pane of glass with on-premises
• Beyond 250 rules per instance
• IP Reputation
• Additional security features
• Deep Packet Inspection, Web Application Firewall, URL Filtering
26. Host Based Security
• Host Intrusion Detection/Prevention (HIDS)
• Agent-based solution scales as instances scale
• Agent can be monitored and controlled centrally
• Access to unencrypted data and to process and user context
[Diagram: host-based security agents reporting to central monitoring and control]
28. Amazon CloudWatch Events
Changes to AWS resources are delivered to your application in near real-time. React to suspicious, risky, or problematic situations programmatically, without having to involve an operator.
29. CloudWatch Events – Near real-time response time!
Detect malicious API calls and automate the response, for example when a CloudTrail trail is stopped:
    If trail.StopLogging {
        user.disable
        trail.StartLogging
        email.security_team
    }
Bake these automated response controls into your CloudFormation templates.
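The slide's pseudocode as a working Lambda handler, added here as an example (it is not code from the deck or from AWS). A CloudWatch Events rule matching the "AWS API Call via CloudTrail" detail-type with eventName StopLogging invokes it; the handler restarts the trail, disables the calling IAM user (console password and access keys) and notifies the security team through SNS. The boto3 method names are real; the sample event, the SNS topic ARN, the account id, user name and access key id are constructed, and the RecordingClient stand-in exists only so the logic can be run offline.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample event in the shape CloudWatch Events delivers for an
# "AWS API Call via CloudTrail" record (account id, ARNs and user are made up).
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "0",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.cloudtrail",
    "account": "123456789012",
    "region": "ap-southeast-1",
    "detail": {
        "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging",
        "userIdentity": {
            "type": "IAMUser",
            "userName": "contractor-01",
            "arn": "arn:aws:iam::123456789012:user/contractor-01",
        },
        "requestParameters": {
            "name": "arn:aws:cloudtrail:ap-southeast-1:123456789012:trail/org-trail"
        },
    },
}

# Assumed topic the security team subscribes to (placeholder ARN).
SECURITY_TOPIC_ARN = "arn:aws:sns:ap-southeast-1:123456789012:security-team"


class RecordingClient:
    """Stand-in for a boto3 client so the handler can run offline: every
    method call is recorded, and canned responses can be supplied per method.
    In Lambda the real boto3 clients are passed instead."""

    def __init__(self, responses: Optional[Dict[str, Any]] = None):
        self.calls: List[tuple] = []
        self._responses = responses or {}

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            return self._responses.get(name, {})
        return method


def respond_to_stop_logging(event: Dict[str, Any], cloudtrail, iam, sns) -> List[str]:
    """Apply the slide's three steps and return the actions taken."""
    detail = event.get("detail", {})
    actions: List[str] = []
    # The rule should only match StopLogging, but never trust the trigger blindly.
    if detail.get("eventSource") != "cloudtrail.amazonaws.com" or detail.get("eventName") != "StopLogging":
        return actions

    # trail.StartLogging: restore the audit trail before anything else.
    trail = detail["requestParameters"]["name"]
    cloudtrail.start_logging(Name=trail)
    actions.append(f"start_logging:{trail}")

    # user.disable: drop the console password and deactivate every access key.
    identity = detail.get("userIdentity", {})
    if identity.get("type") == "IAMUser":
        user = identity["userName"]
        try:
            iam.delete_login_profile(UserName=user)
        except Exception:  # boto3 raises NoSuchEntityException when there is no console password
            pass
        keys = iam.list_access_keys(UserName=user).get("AccessKeyMetadata", [])
        for key in keys:
            iam.update_access_key(UserName=user, AccessKeyId=key["AccessKeyId"], Status="Inactive")
        actions.append(f"disable_user:{user}")
    else:
        # Assumed roles and the root user cannot be switched off this way; escalate instead.
        actions.append(f"manual_review:{identity.get('arn', 'unknown')}")

    # email.security_team: SNS fan-out to e-mail/pager subscriptions.
    sns.publish(TopicArn=SECURITY_TOPIC_ARN, Subject="CloudTrail StopLogging detected",
                Message=json.dumps(detail, default=str))
    actions.append("notify_security_team")
    return actions


def lambda_handler(event, context):
    import boto3  # imported here so the module runs offline without boto3 installed
    return respond_to_stop_logging(
        event, boto3.client("cloudtrail"), boto3.client("iam"), boto3.client("sns"))


if __name__ == "__main__":
    fake_iam = RecordingClient({"list_access_keys": {"AccessKeyMetadata": [{"AccessKeyId": "AKIAEXAMPLE"}]}})
    print(respond_to_stop_logging(SAMPLE_EVENT, RecordingClient(), fake_iam, RecordingClient()))
```

The ordering matters: logging is restored first so that the disable and notify steps are themselves recorded in CloudTrail. The Lambda's execution role needs only cloudtrail:StartLogging, the three IAM calls used, and sns:Publish on that one topic.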
31. AWS Config Rules
• Set up rules to check recorded configuration changes
• Use pre-built rules provided by AWS
• Author custom rules using AWS Lambda
• Invoked automatically for continuous assessment
• Use dashboard for visualizing compliance and identifying offending changes
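A custom Config rule in Lambda, added as an example of the "author custom rules" bullet (not code from the deck or from AWS). It ties back to the data protection slide: the rule marks an AWS::EC2::Volume COMPLIANT only when it is encrypted and, if the rule parameter is set, only when it uses one of an allowed set of KMS keys. The invocation event shape (invokingEvent as a JSON string holding the configurationItem, ruleParameters, resultToken) and the put_evaluations call are the real Config interface; the rule parameter name AllowedKmsKeyArns, the volume id, key ARNs and timestamp are assumptions constructed for the example.

```python
import json
from typing import Any, Dict, Optional


def evaluate_volume(configuration_item: Dict[str, Any], rule_parameters: Dict[str, str]) -> Dict[str, str]:
    """Decide the compliance of one configuration item for an EBS volume."""
    if configuration_item.get("resourceType") != "AWS::EC2::Volume":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "Rule only evaluates EBS volumes"}
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return {"ComplianceType": "NOT_APPLICABLE", "Annotation": "Volume was deleted"}

    cfg = configuration_item.get("configuration") or {}
    if not cfg.get("encrypted"):
        return {"ComplianceType": "NON_COMPLIANT", "Annotation": "Volume is not encrypted"}

    # Hypothetical rule parameter: comma-separated KMS key ARNs that are allowed.
    allowed = rule_parameters.get("AllowedKmsKeyArns")
    if allowed:
        allowed_set = {a.strip() for a in allowed.split(",") if a.strip()}
        if cfg.get("kmsKeyId") not in allowed_set:
            return {"ComplianceType": "NON_COMPLIANT",
                    "Annotation": f"Encrypted with a key outside the allowed set: {cfg.get('kmsKeyId')}"}
    return {"ComplianceType": "COMPLIANT", "Annotation": "Volume is encrypted"}


def build_evaluation(event: Dict[str, Any]) -> Dict[str, Any]:
    """Turn a Config rule invocation into the Evaluation entry put_evaluations expects."""
    invoking = json.loads(event["invokingEvent"])
    ci = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    verdict = evaluate_volume(ci, params)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": verdict["ComplianceType"],
        "Annotation": verdict["Annotation"][:256],  # Config limits annotations to 256 characters
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    import boto3  # imported here so the module runs offline without boto3 installed
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def sample_event(encrypted: bool, kms_key_id: Optional[str] = None,
                 rule_parameters: Optional[Dict[str, str]] = None,
                 status: str = "OK") -> Dict[str, Any]:
    """Constructed ConfigurationItemChangeNotification for one volume (ids made up)."""
    ci = {
        "resourceType": "AWS::EC2::Volume",
        "resourceId": "vol-0123456789abcdef0",
        "configurationItemStatus": status,
        "configurationItemCaptureTime": "2017-06-01T09:00:00.000Z",
        "configuration": {"volumeId": "vol-0123456789abcdef0",
                          "encrypted": encrypted, "kmsKeyId": kms_key_id},
    }
    return {
        "invokingEvent": json.dumps({"configurationItem": ci,
                                     "messageType": "ConfigurationItemChangeNotification"}),
        "ruleParameters": json.dumps(rule_parameters or {}),
        "resultToken": "constructed-token",
    }


if __name__ == "__main__":
    print(build_evaluation(sample_event(False)))
    print(build_evaluation(sample_event(True, "arn:aws:kms:ap-southeast-1:123456789012:key/example")))
```

Keeping the decision in evaluate_volume, separate from the event unpacking and the put_evaluations call, is what makes the rule unit-testable offline; the deleted-resource case is handled explicitly because Config still invokes the rule for the final configuration item of a deleted volume.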
36. Sources of Best Practices
AWS Cloud Adoption Framework (CAF): how to move to the cloud securely, including the “Core Five Epics”:
• Identity and Access Management
• Logging and Monitoring
• Infrastructure Security
• Data Protection
• Incident Response
AWS Security Best Practices: whitepaper with 44 best practices, including:
• Identity and Access Management (10 best practices)
• Logging and Monitoring (4)
• Infrastructure Security (15)
• Data Protection (15)
Center for Internet Security (CIS) Benchmarks: detailed recommendations for configuration and auditing covering:
• “AWS Foundations” with 52 checks aligned to AWS Best Practices
• “AWS Three-Tier Web Architecture” with 96 checks for web applications
37. AWS CloudFormation – Everything as Code
[Diagram: Template, Stack, AWS CloudFormation]
✓ Orchestrate changes across AWS services
✓ Use as foundation for Service Catalog products
✓ Use with source code repositories to manage infrastructure changes
✓ JSON/YAML-based text file describing infrastructure
✓ Resources created from a template
✓ Can be updated
38. Conclusion
The problem:
• Evolving & Complex Threat Landscape
• Infrequent Security Reviews
• Heavily Regulated Control Requirements
• Lack of automation introduces error
The approach:
• Make security easy for everyone. Build it in by default.
• Evaluate security & compliance continuously.
• Automate response to scale. Build control requirements into CloudFormation and blueprints for re-use. Be consistent.
• To remove human error, remove humans. Automation improves consistency.